Healthcare: Is cybersecurity becoming one of the biggest compliance issues?
How to prevent staff from (accidentally) giving cybercrooks access to patients’ electronic health records
Cybersecurity in healthcare has become more important than ever before. In 2015 alone, cyberattacks cost the US healthcare industry more than $6 billion. The latest wave of cybercrime hit healthcare the hardest. Electronic health records in particular are precious goods. So precious, in fact, that over the next five years, 1 in 13 patients will have their personal data compromised. So, sensitive patient information is handed over almost voluntarily…
The healthcare industry is so focused on regulatory compliance that cybersecurity has largely been a secondary thought. This translates into a disastrous number of security breaches. Last year, over 113 million electronic records were compromised, according to the Office of Civil Rights under Health and Human Services. But how do cybercriminals get their hands on electronic health records so effortlessly?
“You can easily point fingers, but the most likely culprit is probably you”, says Steve Osborn. Osborn has been a healthcare communication specialist for over 20 years. According to IBM’s Cyber Security Intelligence Index, human error causes 95 percent of all security breaches. “When we’re talking about human error, we’re not talking about malicious inside attacks. For example, hospital staffers who click on a link in an email that looks genuine at first glance”, Osborn explains. “So, when it comes to protecting your facility against cybercrime, nowadays the question isn’t: ‘Is my security technology up to par?’ The question is: ‘Are my employees up to par?’”, says Osborn.
Education is the key
So, how do you protect electronic health records from ending up in the wrong hands? Studies show that up to 70 percent of cyberattacks can be avoided by effective employee training. “Healthcare facilities need to educate their employees. ‘This is what a phishing attack looks like.’ ‘Here’s how you can spot a spoofed browser.’ ‘Look at this email, what’s odd about it?’”, says Osborn. “However, there is a ‘but’”, according to Osborn. “Without review, we forget 90 percent of what we learn within 30 days. Even 20 minutes later, we have already lost 40 percent of what we were taught.”
“The same goes for cybersecurity training”, explains Osborn. “An initial training to educate people on cybersecurity is great. However, it seems pointless if the majority of acquired knowledge is lost within one month. But then, how do you make people remember?”
Healthcare cybersecurity compliance through repetition
Repetition is proven to be far more effective than just a one-time training. “Unlike a one-time training, repetitively sharing small chunks of information creates permanent knowledge and awareness”, says Osborn. “In this case, remind your staff members on a regular basis of the cyber threats that are out there. In addition, you should let them know how to recognize them and how to guard your facility against them.”
“However, you don’t have time to drag staff members into a million and one training sessions. But you can still repetitively reach your staff members without taking them away from their daily activities. You can do this in multiple different ways. For example, some facilities prefer poster campaigns, other facilities take it up a notch and show compliance information on their screensavers, digital signage screens, COWs … you name it”, according to Osborn.
Repetition has previously worked to improve other compliance issues at numerous healthcare facilities. “The University of Tennessee Medical Center, for example, promotes hygiene by continuously reminding team members to wash their hands and their stethoscopes after each patient contact. They do this by looping compliance messages on every TV screen throughout their facility and displaying a screensaver on 6,000 PCs. VCU Health in Richmond (VA) also uses its screensaver to continuously display error prevention messages on 7,000 PCs,” explains Osborn.
The same can be done for cybersecurity. “It really doesn’t matter how you do it; it is, however, extremely important that you do it”, stresses Osborn. “Just put a little effort into reminding your staff members of what they can and should do to prevent security breaches from happening at your facility. This way, you truly make cybersecurity the least of all your compliance worries.”